Insider Threat: Common Myths and Misconceptions

Insider threat is a growing area of concern and confusion among security practitioners. Typically accustomed to concentrating their resources on combating external threats, many security teams are eager yet unsure of how to combat threats that arise internally. This uncertainty, unfortunately, is often exacerbated by numerous common myths and misconceptions about insider threat, some of which include:

Insider Threats are Always Intentional and Harmful

Much of the confusion around insider threat starts with its definition. Factors ranging from fear to hype to inaccurate reporting have given rise to the widespread perception that the most malicious and damaging types of insider attacks—such as those involving corporate espionage, for example—are representative of all insider threats. But just as most network security threats are far more common, yet far less damaging, than APTs, most insider threats are relatively tame and unsophisticated compared to how they are often perceived.

There are various accepted definitions of an insider threat, but most agree that it:

- Is a threat to an organization that originates from within that organization;

- Involves a current or former employee, contractor, or partner who has or had authorized access to an organization’s network, system, or data, and who misuses that access;

- Can be intentional when a user purposefully subverts a control (some practitioners refer to intentional insider threats as malicious);

- Can be unintentional when a user subverts a control without intending to;

- Can be harmful or not harmful.

In many cases, unintentional insider threats are overlooked. These can include situations where a user accidentally sends an email containing sensitive information to the wrong recipient, for example. Though the user did not intend to engage in potentially threatening behavior, their action could have had serious ramifications for the company, potentially causing the same amount of harm as an intentional insider threat. Similar confusion is also common with regard to insider threats that do not result in harm. The aforementioned unintentional insider threat would only be harmful if the email recipient had misused the contents of the email and/or failed to destroy it.

But even when an insider threat is intentional, it is not necessarily harmful. For example, let’s say a user forgets their login credentials for a company system. In response, they choose to access the system by obtaining another user’s credentials even though they are aware that such an action goes against company policy. This threat would be intentional because the user knew they were subverting a control and did so nonetheless. But unless the user had abused the credentials to the detriment of the company, the threat, though intentional, would likely not cause harm.

It’s important to recognize that the definition of an insider threat has implications beyond just semantics. Regardless of whether an insider threat is intentional or unintentional, and harmful or not, combating these threats effectively requires a comprehensive understanding of what they are and how they originate.

If You Have an Insider Threat Resource, You Have an Insider Threat Program

The composition of an insider threat program (ITP) is another common area of confusion. Specifically, many organizations assume that an effective ITP can comprise any resource or combination of resources dedicated to addressing insider threat.

In some cases, this assumption is shaped by the increasing number of tools being marketed as “silver bullets” or “panaceas” for insider threat. While various types of alerting and user behavior analytics (UBA) tools, for example, can provide immense value to a well-structured and equipped ITP, no such tool can serve as a replacement for an entire program. Believing otherwise can lead an organization to assume they are prepared and able to address insider threats when they are not.

In reality, an effective ITP requires a specific combination of tools, datasets, expertise, personnel, and cross-functional collaboration, along with comprehensive and integrative programmatic and investigative functions. These requirements are generally consistent regardless of an organization’s size. Smaller organizations can scale their ITP accordingly by sharing responsibilities among personnel without having to invest in all of the often-expensive tools typically employed by larger organizations. But even with the requisite resources and controls in place, initiating and developing an ITP can be a lengthy and complex endeavor, which is why organizations looking to do so are often encouraged to seek external support.

Preventing Insider Threat Requires an Insider Threat Program

But before an organization even considers starting such a program, it’s important to understand that the primary objectives of an ITP are to deter, detect, and respond to insider threats—not prevent them. The issue isn’t that insider threats can’t be prevented, but rather that prevention occurs largely at the information security level, not the ITP level. Many of the same basic, best-practice information security controls that help organizations mitigate threats such as phishing and malware infections can also help prevent insider threats.

These controls include, to name a few:

- Having robust identity and access management (IAM) processes;

- Revoking former employees’ access to company systems and assets in a timely manner;

- Blocking users from accessing personal email, social media, and external instant messengers from inside the network;

- Restricting the use of flash drives and external media storage devices;

- Enforcing bring your own device (BYOD) policies;

- Ensuring all users are trained thoroughly and often on security awareness and hygiene best practices.

This is why it’s crucial for an organization to achieve and maintain an effective information security program before initiating an ITP. Even the most sophisticated and comprehensive ITP will provide little value if the organization is unable to uphold adequate standards of information security.

The above list is meant to highlight a few of the most common and impactful ways in which the area of insider threat is misunderstood, but this list is by no means comprehensive. As more organizations recognize the critical need to address this threat, it’s imperative that as security practitioners, we acknowledge the often-confusing nature of insider threat, seek to dispel misconceptions, and provide clear, accurate insight whenever possible.

Josh Lefkowitz is the CEO of Flashpoint, the global leader in Business Risk Intelligence (BRI) from the Deep & Dark Web. He has worked extensively with authorities to track and analyze terrorist groups. Lefkowitz also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.